libssh versions 0.5.1 and above have a logical error in the handling of an SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet, which leads to a null pointer dereference. This is the packet after the initial key exchange and doesn't require authentication. Both client and server are vulnerable, pre-authentication and pre-crypto, and can be exploited with a MITM attack. This could be used for a Denial of Service (DoS) attack. Acknowledgements: Red Hat would like to thank the libssh team for reporting this issue. The libssh team acknowledges Mariusz Ziulek from the Open Web Application Security Project (OWASP) as the original reporter.
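The defect described above is a fail-open state machine: a handler detects a protocol error but neither marks the session as failed nor stops, so the rest of the handler runs against state that was never set up. The following is an added illustration of the fail-closed pattern that prevents this class of bug; it is not libssh code, and every name in it (session_state, struct session, next_crypto, session_fail, process_packet) is hypothetical. The message numbers follow RFC 4253. Every detected error goes through one function that records the message, moves the session into the error state and returns, so no individual handler can forget the state transition, and the dispatcher refuses all further packets once that state is reached.

```c
/* Added example, not libssh code: a minimal fail-closed key-exchange state machine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_NEWKEYS     21   /* SSH_MSG_NEWKEYS, RFC 4253 */
#define MSG_KEXDH_REPLY 31   /* SSH_MSG_KEXDH_REPLY, RFC 4253 */

enum session_state {
    STATE_KEXINIT_DONE,   /* KEXINIT exchanged, waiting for KEXDH_REPLY */
    STATE_KEXDH_DONE,     /* KEXDH_REPLY accepted, waiting for NEWKEYS */
    STATE_KEX_COMPLETE,   /* NEWKEYS accepted, new keys may be switched in */
    STATE_ERROR           /* fatal: no further packet may be processed */
};

struct crypto_ctx { const char *cipher_name; };

struct session {
    enum session_state state;
    struct crypto_ctx *next_crypto;   /* hypothetical: set only once KEXDH_REPLY is accepted */
    struct crypto_ctx ctx_storage;
    char last_error[80];
};

/* Single error path: records the message, sets the error state and returns -1.
 * Handlers must 'return session_fail(...)' so the transition cannot be skipped. */
static int session_fail(struct session *s, const char *msg)
{
    snprintf(s->last_error, sizeof s->last_error, "%s", msg);
    s->state = STATE_ERROR;
    return -1;
}

/* KEXDH_REPLY: a real implementation verifies the host key and signature here;
 * this example only enforces ordering and a minimal length before allocating
 * the pending crypto context. */
static int handle_kexdh_reply(struct session *s, const uint8_t *payload, size_t len)
{
    (void)payload;
    if (s->state != STATE_KEXINIT_DONE)
        return session_fail(s, "KEXDH_REPLY received out of order");
    if (len < 1)
        return session_fail(s, "KEXDH_REPLY payload truncated");
    s->ctx_storage.cipher_name = "example-cipher";   /* stands in for the negotiated keys */
    s->next_crypto = &s->ctx_storage;
    s->state = STATE_KEXDH_DONE;
    return 0;
}

/* NEWKEYS: next_crypto is dereferenced only after the ordering check passed,
 * so a NEWKEYS that arrives before KEXDH_REPLY is rejected instead of touching
 * a NULL context. */
static int handle_newkeys(struct session *s)
{
    if (s->state != STATE_KEXDH_DONE)
        return session_fail(s, "NEWKEYS received before KEXDH_REPLY was accepted");
    if (s->next_crypto == NULL)   /* invariant of STATE_KEXDH_DONE, checked rather than assumed */
        return session_fail(s, "no pending crypto context for NEWKEYS");
    if (s->next_crypto->cipher_name == NULL)
        return session_fail(s, "pending crypto context incomplete");
    s->state = STATE_KEX_COMPLETE;
    return 0;
}

/* Dispatcher: refuses every packet once the session is in the error state and
 * propagates handler results so the caller tears the connection down. */
int process_packet(struct session *s, uint8_t type, const uint8_t *payload, size_t len)
{
    if (s->state == STATE_ERROR)
        return -1;
    switch (type) {
    case MSG_KEXDH_REPLY: return handle_kexdh_reply(s, payload, len);
    case MSG_NEWKEYS:     return handle_newkeys(s);
    default:              return session_fail(s, "unexpected message type during key exchange");
    }
}

void session_init(struct session *s)
{
    memset(s, 0, sizeof *s);
    s->state = STATE_KEXINIT_DONE;
}

/* Stand-alone demonstration: an out-of-order NEWKEYS is rejected and the
 * session stays closed for everything that follows. */
int main(void)
{
    struct session s;
    session_init(&s);
    int rc = process_packet(&s, MSG_NEWKEYS, NULL, 0);
    printf("NEWKEYS first: rc=%d state=%d (%s)\n", rc, (int)s.state, s.last_error);
    rc = process_packet(&s, MSG_KEXDH_REPLY, (const uint8_t *)"x", 1);
    printf("KEXDH_REPLY after error: rc=%d\n", rc);
    return 0;
}
```

The property worth checking in a real code base is the same one the example makes explicit: every error branch in a packet handler ends in a return through the error-state setter, and the dispatcher checks that state before calling any handler.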
Created attachment 1016896: Suggested patch
The former patch applies to libssh 0.6.4 cleanly. The latter patch does not (perhaps against a different 0.6.x). Brew build for RHEL 7: https://brewweb.devel.redhat.com/taskinfo?taskID=9017188
libssh 0.6.5 has been released to address the issue! https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
External References: https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
Created libssh tracking bugs for this issue: Affects: fedora-all [bug 1218076] Affects: epel-all [bug 1218077]
libssh-0.6.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.6.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.5-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.7.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.